A million hacked Facebook accounts isn’t cool. You know what’s even less cool? Fifty million hacked Facebook accounts.

A Friday morning press release from our connect-people-at-any-cost friends in Menlo Park detailed a potentially horrifying situation for the billions of people who use the social media service: Their accounts might have been hacked. Well, at least 50 million of them were “directly affected,” anyway.

The so-called “security update” is light on specifics, but what it does include is extremely troubling.

“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts,” reads the statement. “[It’s] clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts.”

That’s right, almost 50 million accounts were vulnerable to this attack. As for how many were actually exploited?

“Fifty million accounts were directly affected,” explained Facebook VP of product management Guy Rosen on a Friday morning press call, “and we know the vulnerability was used against them.”

“We did see this attack being used at a fairly large scale,” added Rosen. “The attackers could use the account as if they are the account holder.”

The statement itself didn’t provide much additional insight.

“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” continues the statement. “We also don’t know who’s behind these attacks or where they’re based.”

Facebook says it has fixed the vulnerability, and that 90 million people may suddenly find themselves logged out of their accounts or various Facebook apps as a result.

The disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures.

Facebook is working with law enforcement, and, at least for now, says you don’t need to change your password. But maybe go ahead and log out of your account, everywhere, just to be safe.

“[If] anyone wants to take the precautionary action of logging out of Facebook, they should visit the ‘Security and Login’ section in settings,” advises the warning. “It lists the places people are logged into Facebook with a one-click option to log out of them all.”

So yeah, click through that link and log out of your account on all webpages and apps at once. After that, maybe think long and hard about whether it’s even worth logging back in.

Microsoft’s internal database that it uses to track bugs in its software was reportedly hacked in 2013.

A highly sophisticated hacking group was behind the alleged breach, according to Reuters; it is the second known breach of this kind of corporate database.

Five former employees told the publication about the hack in separate interviews, though Reuters said Microsoft did not disclose the depth of the attack in 2013.

The database in question contained information on critical and unfixed vulnerabilities found not only in the Windows operating system but also in some of the most widely used software worldwide, the publication reported.

Microsoft learned of the breach in early 2013 after a hacking group launched a series of attacks against high-profile tech companies including Apple, Twitter and Facebook.

The group exploited a flaw in the Java programming language to access employees’ Apple computers, before moving into the company’s network, Reuters said.

Microsoft released a short statement following the attack on 22 February 2013 that said: “As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion.

“We found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected, and our investigation is ongoing.”

In an email responding to questions from Reuters, Microsoft said: “Our security teams actively monitor cyber threats to help us prioritize and take appropriate action to keep customers protected.”

A Microsoft spokesperson told IT Pro: “In February 2013 we commented on the discovery of malware, similar to that found by other companies at the time, on a small number of computers including some in our Mac business unit. Our investigation found no evidence of information being stolen that could be used in subsequent attacks.”

This contradicts Reuters’ report, whose sources said that although the bugs in the database had been exploited in hacking attacks, the attackers could have found the information elsewhere.

Reuters said Microsoft didn’t disclose the breach because of this, and because many patches had already been released to customers.

“They absolutely discovered that bugs had been taken,” one source said. “Whether or not those bugs were in use, I don’t think they did a very thorough job of discovering.”

Following the breach, Microsoft improved its security by separating the database from the corporate network and requiring two forms of authentication to access the information, Reuters reported.

Mozilla suffered a similar attack in 2015, when an attacker accessed a database that included information on 10 unpatched flaws. One of the flaws was then used to attack Firefox users, which Mozilla disclosed publicly at the time, telling users to take action.

Mozilla CBO and CLO Denelle Dixon said the foundation released the information about what it knew in 2015 “not only [to] inform and help protect our users, but also to help ourselves and other companies learn, and finally because openness and transparency are core to our mission.”

Reuters wrote that the hacking group has been called Morpho, Butterfly and Wild Neutron, but security researchers say it is a proficient and mysterious group and that they cannot determine whether it is backed by a state government.

Equifax revealed that a file containing 700,000 UK records was accessed during a data breach in May, giving attackers access to names and contact details. Of that figure, 700,000 accounts had partial credit information and email addresses stolen.

“Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing,” says Adam Donenfeld, a member of the Check Point mobile research team.

The attacker would then potentially be able to control devices and access capabilities such as GPS tracking and recording video and audio.

The weaknesses were found in software drivers that come with Qualcomm chipsets.

“The drivers, controlling communication between chipset components, become incorporated into Android builds manufacturers develop for their devices,” the company said in the report.

“Pre-installed on devices at the point of manufacturing, these vulnerable drivers can only be fixed by installing a patch from the distributor or carrier. Distributors and carriers can only issue patches after receiving fixed driver packs from Qualcomm.”

After discovering the faults, Check Point let the chip manufacturer know in April.

Qualcomm confirmed to the firm it would release patches to the device manufacturers. It is then up to the manufacturers to send updates to smartphones already sold, and for end-users to install them.

“This situation highlights the inherent risks in the Android security model. Critical security updates must pass through the entire supply chain before they can be made available to end-users,” says Donenfeld.

Check Point has developed a QuadRooter scanner app that is available free on Google Play. Running it will tell users if these vulnerabilities exist on their device.

Smartphone models which could be at risk include:

BlackBerry Priv
Blackphone 1 and Blackphone 2
Google Nexus 5X, Nexus 6 and Nexus 6P
HTC One, HTC M9 and HTC 10
LG G4, LG G5, and LG V10
New Moto X by Motorola
OnePlus One, OnePlus 2 and OnePlus 3
Samsung Galaxy S7 and Samsung S7 Edge
Sony Xperia Z Ultra

While the vulnerabilities unearthed by Check Point are serious, Google has said it has an app pre-installed on most affected devices that will automatically block a malicious app from being downloaded.

A Google spokesperson told Android Central: “Exploitation of these issues depends on users also downloading and installing a malicious application. Our Verify Apps and SafetyNet protections help identify, block and remove applications that exploit vulnerabilities like these.”

However, Android phones that do not come with Google Play Services installed will still be at risk.

The spokesperson also said Google has released a security patch that protects against three of the vulnerabilities and is working on a patch for the fourth.

Smartphone manufacturer BlackBerry has released a statement saying it is aware of QuadRooter and a fix for BlackBerry’s Android devices has been tested and pushed to customers.

Risky behaviour

Much has been done by partners to mitigate the vulnerabilities and protect device owners.

Those most at risk will be users who side-load Android apps, by downloading APK files, or those who have disabled Google’s Verify Apps feature.

Side-loading apps is often used to acquire apps that are not available in certain regions, like the mobile game Pokémon Go and music app Spotify.

Check Point recommends downloading and installing the latest Android updates as soon as they become available, carefully examining app permissions before giving access, and avoiding app downloads from third-party sources.